Empower TM 2 Software

Transcription

1 Empower TM 2 Software 21 CFR PART 11 COMPLIANCE ASSESSMENT Revision A, December, of 14 Waters Corporation

2 Note: Information presented in this document assumes that the appropriate Empower 2 System Policies have been configured for Electronic Record (ER) and Electronic Signature (ES) support. Overview Is the system a Closed System, where system access is controlled by the persons who are responsible for the content of the electronic records that are on the system? Is the system an Open System, where system access is not controlled by the persons who are responsible for the content of the electronic records that are on the system? (e.g. A service provider controls and maintains access of the contents of the system, etc.). Does the system use an ID/ password combination? Does the system use tokens? Does the system use biometrics? /No/ No No No Revision A, December, of 14 Waters Corporation

3 Ref. /No/ Explanation Subpart B Electronic Records Controls for Closed Systems (a) Is the system validated? Waters Corporation has structurally validated Empower 2 software and supplies a certificate of structural validation with the Empower 2 software (a) Does the validation documentation show that Part 11 requirements have been met and are functioning correctly? (a) Is the system able to detect invalid records where applicable (e.g. invalid field entries, fields left blank that should contain data, values outside of limits)? (b) Is it possible to view the entire contents of the records? (b) Is it possible to print the entire contents of the records? (b) Is it possible to generate all the records electronically in a format that can be put on a portable medium (e.g. diskette or CD) or transferred electronically? Empower 2 software allows users to be compliant with 21 CFR Part 11, but complete compliance can only occur within a validated electronic records environment. Validation documentation is available for examination during an audit of the Waters quality system for data products development. Revision A, December, of 14 Waters Corporation

4 Ref. /No/ Explanation (c) Are records protected against intentional or accidental modification or deletion? (c) Is data archived off the system? If so, is the meta data (including the audit trail) archived as well? Can all the archived data be accurately retrieved after system upgrades? (d) Are there different levels of access based on user responsibilities (e.g. user, administrator) (if appropriate)? Is this documented and controlled? (d) Are user access levels approved by management or the system owner before assignment to a user? (d) Is there is a controlled, documented process for granting access to a new user, for changing privileges for an existing user and for deleting user accounts? The abilities to modify or delete data within the Empower 2 software application are specifically assigned privileges. All actions involving a creation, deletion or modification of data is audit trailed and requires user confirmation before changes are committed to the database. Meta data can be archived off the system and includes all information that is part of the electronic record, including audit trails. Archived data can be retrieved after system upgrades and procedures for this are defined in the documentation for each software release. User access is based on the concept of User Types. A user type defines a specific level of access based on allowed activities/responsibilities. Changes to user types are documented in the system audit trail. The ability to create, modify or delete user types are discrete privileges that may be assigned to specific individuals. User access levels are set and approved during the process of creating a user. Only an individual who has explicitly been given the privilege to create or alter a user account can change the access level for a particular user. User creation, modification and deletion are controlled through a software wizard, and is only accessible to appropriately privileged users. In addition, Empower 2 System Policies can be used to predefine specific aspects of the user creation process to ensure compliance with Part 11. Revision A, December, of 14 Waters Corporation

5 Ref. /No/ Explanation (d) Is there physical security and procedures to protect the server, database and system components from unauthorized access? (e) Is an electronic audit trail function automatically generated for all operator entries? (e) Is the audit trail completely outside the control and access of users (except for read-only access of the audit trail file)? Each organization must develop a controlled, documented procedure for managing system security and protection. A designated system administrator may configure audit trail settings on a per project basis. All activities for all users in projects with full audit trail turned on will be audit trailed, with no user types or activities treated differently. A designated system administrator may configure audit trail settings, no other users will have control over audit trails (e) Is it impossible to disable the audit trail function? The system audit trail cannot be disabled. Empower 2 data is stored in Projects and it is impossible to disable or modify audit trail settings for a project after its creation. A designated system administrator may configure audit trail settings (e) Is the system date and time protected from unauthorized change? (e) When data is changed or deleted, are all previous values still electronically available? The system date and time are taken from the server. The ability to change the system date and time is a privilege that is controlled through the computer operating system and not through the Empower 2 software. All previous values are stored in the embedded database. When data is changed, new values are added to the database, and previous information is not overwritten or obscured. The privileges to change or delete data may be assigned only to specific users. Revision A, December, of 14 Waters Corporation

6 Ref. /No/ Explanation (e) Is the audit trail data protected from accidental or intentional modification or deletion (read-only access)? (e) Are the electronic audit trails maintained and retrievable for at least as long as its respective electronic records? (e) Are the electronic audit trails readily available for inspections and audits? (e) Can selected portions of the audit trail be viewed and printed by inspectors? (e) Can selected portions of the audit trail be extracted in a transportable electronic format that can be read by regulatory agencies? Project audit trails cannot be modified or deleted. The system audit trail can be archived and removed and requires the active collaboration of 2 system administrators to sign off on this archival and removal before the process can begin. A binary archived system audit trail can be retrieved into the Empower 2 Offline System Audit Trail view for review and analysis. Audit trail are maintained either as part of project archives and database backups. In addition, the system audit trail may be specifically archived in either ASCII or binary format. Binary archives may be restored into the software at a later date for review. Audit trails are available both online in Empower 2 and can be archived for storage or offsite inspection. A binary archived system audit trail can be retrieved into the Empower 2 Offline System Audit Trail view for review and analysis. Full searching and filtering capabilities are available with the Empower 2 audit trails. The audit trail can be backed up to an ASCII file (.txt) or to a binary file. The ASCII file can be viewed in any file viewer, while the binary file can be restored into another Empower 2 system for searching and analysis in the Empower 2 Offline System Audit Trail view. Revision A, December, of 14 Waters Corporation

7 Ref. /No/ Explanation (e) If no audit trail is available, can the system detect that a record was altered since its last approval? (e) Are operator name, date, time, and indication of record (or file) creation, modification or deletion recorded in audit trail? (e) If the predicate regulation requires it, is the reason for a change included in the audit trail? (f) If the system requires sequenced steps, does it ensure that the actions are performed in the correct sequence? (g) Does the system ensure that only authorized individuals can use the system? (g) Does the system (or procedure) verify that an individual has the authority to electronically sign a record before allowing them to do so? (h) If it is a requirement of the system that data input or instructions can only come from specific input devices (e.g. instruments, terminals); does the system check for the correct device? Audit trails are available in the database. Alteration of information creates new values that are stored in the database. Records are not overwritten and full audit trails are available to document changes. This will require calling Waters and help from the Waters development team. Assuming the Empower 2 System Policies have been appropriately configured. Empower 2 software uses Wizards to ensure proper sequencing. In order to access the Empower 2 system, individuals must have a user account. This account will define the capabilities that user will have on the system. Without an account, no access to the system is allowed. The right to sign-off is a specifically assigned privilege. Users who have not been assigned this privilege may not electronically sign a record. Empower 2 designates appropriate input based on user authentication, and not device authentication. Raw data may only come from a device on which Empower 2 acquisition software has been configured. Other instructions may only come from devices on which Empower 2 database access has been configured and enabled. Revision A, December, of 14 Waters Corporation

8 Ref. /No/ Explanation (i) Is there documentation to show that persons who develop the system have the education, training and experience to perform their assigned tasks (including temporary and contract staff)? (i) Is there documentation to show that persons who maintain or use the system have the education, training and experience to perform their assigned tasks (including temporary and contract staff)? (i) Is there documentation to show that persons who use the system have the education, training and experience to perform their assigned tasks (including temporary and contract staff)? (j) Is there a written policy in place and enforced that holds individuals fully accountable and responsible for actions initiated under their electronic signatures? (k)(1) Is the distribution of, access to, and use of systems operation and maintenance documentation controlled? (k)(1) Is access to sensitive systems documentation restricted e.g., network security documentation, system access documentation? (k)(2) Is there a Change Control (or equivalent) SOP governing revisions to system documentation? Controls for Open Systems What controls ensure record authenticity, integrity, and confidentiality? Full documentation is available as part of an audit of Waters software development process. Empower 2 software is a closed system Is data encrypted? Empower 2 software is a closed system Revision A, December, of 14 Waters Corporation

9 Ref. /No/ Explanation Are digital signatures used? Empower 2 software is a closed system Signature Manifestations (a)(1) Do all electronically signed records contain the following information associated with the signing: Full printed name of the signer (a)(2) Do all electronically signed records contain the following information associated with the signing: Date and time of signing (a)(3) Do all electronically signed records contain the following information associated with the signing: Meaning of signature (e.g. review, approval)? (a) Are the date and time stamps applied automatically (vs. being keyed in by the user)? (a) Are date and time stamps derived in a consistent way in order to be able to reconstruct the sequence of events? (b) Is the above information subject to the same controls as electronic records? (audit trail, access control etc.) (b) Are changes to signatures included in the audit trail? (b) Do the printed name, date, time, and signature meaning appear in every human readable form of the electronic record? (e.g. all screens and printed reports) The user must configure the full name of the signer for it to appear on the report. Default meanings in the Empower 2 software include: review, approval, responsibility and authorship. Other signature meanings may be added to accommodate corporate requirements. Date and time stamps are the local date and time at the location where the signature was executed. The user must turn on Full audit Trail in the project for this to occur. Signatures may not be altered; new signatures may be added to a record and are fully audit trailed. Electronic records are shown in human readable form in the Preview section of Empower 2 and in printed reports. A table of electronic signatures can be placed on reports that are used to view electronic records. Revision A, December, of 14 Waters Corporation

10 Ref. /No/ Explanation Signature/Record Linking If handwritten signatures are executed to electronic records, are the handwritten signatures linked to the electronic record(s)? If the electronic record is changed, is the signer prompted to re-sign (via either manual procedures (SOP) or technical means)? Are the E-signatures linked (via technology, not procedures) to their corresponding electronic records to ensure that the signature cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means? Subpart C Electronic Signatures General Requirements (a) Is each E-signature unique to one individual? Handwritten signatures are not executed to electronic records. Handwritten signatures may be executed to a printed report, and such a report may include information identifying (and providing a link to) the original electronic record. All changes to an electronic record are audit trailed in the Empower 2 project in which the record is stored. The audit trail will include information on the user making the change, the date and time of the change, what was changed and the reason for the change. If electronic record information is modified, the electronic record can be re-signed in the Preview section of Empower 2. Each organization must develop a controlled, documented procedure to determine when a re-signing is required (a) Are E-signatures ever reused by, or reassigned to, anyone other than the original owner? (b) Is the individual identified adequately verified prior to issuance of an electronic signature? No Revision A, December, of 14 Waters Corporation

11 Ref. /No/ Explanation (b) Is there a procedure for reissuing forgotten passwords that verifies the requestor's identity? (c)(1) Has certification of the intent to use electronic signatures been submitted to the agency in paper form with a traditional handwritten signature? (c)(2) Can additional certification or testimony be supplied to show that an electronic signature is the legally binding equivalent of the signers handwritten signature? Electronic Signature Components and Controls (a)(1) Is the signature made up of at least two distinct identification components, such as an identification code and password? (a)(1)(i) If continuous signing sessions are used, are two (or more) E-signature components required for the initial signing? Each organization must submit their written intent for compliance with this Each organization must develop their controlled, documented procedure for compliance with this A signature comprises a user name and a password. The user name and password are required for the initial signing. Revision A, December, of 14 Waters Corporation

12 Ref. /No/ Explanation (a)(1)(i) If only one E-signature component is required for subsequent signings: Is the private component, known to and only useable by its owner, used for each subsequent signing? Is the user required to stay in close proximity to the workstation for the entire session? Is there an automatic logoff, or password protected screen saver that launches, after a short period of inactivity (with the password known only by one user)? (a)(1)(i) If a user leaves the workstation, do procedures and/or automatic controls ensure that it is treated as a non-continuous session? (a)(1)(ii) Are two (or more) E-signature components required for each signing during a noncontinuous signing session? (a)(2) Are non-biometric signatures only used by their genuine owners (e.g. by procedures or training reinforcing that non-biometric E-signatures are not "loaned" to co-workers or supervisors for overrides)? (a)(3) Are non-biometric signatures administered and executed so that unauthorized use requires the collaboration of two or more individuals? The account password is the private component Empower 2 software automatically ends the session after a period of time specified in Empower 2 System Policies Other Polices Section. An inactivity period can be set in the Empower 2 system policies. If this period is exceeded, the signoff session is terminated and the signoff window is closed. Empower 2 software automatically ends the signing session after a period of time specified in Empower 2 System Policies. The user name and password are required for each signature during a non-contiguous signing session. Each organization must develop its own controlled, documented procedure for compliance with this Each organization must develop their controlled, documented procedure for compliance with this Individual users cannot view any information on other user accounts unless they are explicitly given the Alter User privilege. Under no circumstances is access to another user s password available to any user. Revision A, December, of 14 Waters Corporation

13 Ref. /No/ Explanation (b) Are biometric E-signatures designed to ensure that they can be used only by their genuine owners? Controls for Identification Codes/Passwords (a) Are controls in place to maintain the uniqueness of each combined identification code and password, such that no two individuals can have the same combination of identification code and password? (a) Are controls (procedural or technical) in place to prevent the re-use of identification codes? (b) Is the issuance of identification codes and passwords periodically checked, recalled, or revised (e.g. to cover such events as password aging)? (b) Do passwords periodically expire and need to be revised? (b) Is there a procedure for recalling identification codes and passwords if a person leaves or is transferred? (c) Is a SOP in place directing action to be taken to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices used to carry or generate e- signature components? Empower 2 software does not use biometric E- signatures Empower 2 System Policies can be set to ensure that there must be unique combination of user names and passwords used on the system. Empower 2 System Policies can be used to ensure that passwords may not be reused for individual user accounts, and that user names cannot be reused for multiple users. Empower 2 System Policies can be used to set password aging based on corporate policies. Empower 2 System Policies can be used to set password aging based on corporate policies. Empower 2 allows a user account to be removed from active use. Each organization must develop controlled, documented procedures to ensure proper notification of user status changes. Empower 2 does not use tokens, cards or other devices to carry E-signature components. Revision A, December, of 14 Waters Corporation

14 Ref. /No/ Explanation (c) Does this SOP contain procedures for managing and controlling temporary or permanent token/ card replacements? (d) Are any attempts to unauthorized use detected and reported immediately to the system security unit (e.g. a system administrator is notified automatically by console message or paper) and, as appropriate, to organizational management? (e) Are there procedures covering the initial and periodic testing of devices, such as tokens or cards that bear or generate identification code or password information? (e) Does the testing include checks for proper functioning, performance degradation, and possible unauthorized alteration? Empower 2 does not use tokens, cards or other devices to carry e-signature components. When an invalid login attempt is made, an immediate notification is displayed on the consoles of all system administrators currently logged into the system. In addition, all system administrators not currently logged in will be informed when they next access the Empower 2 system. This information is also stored in the software message log and System Audit Trail. Empower 2 does not use tokens, cards or other devices to carry e-signature components. Empower 2 does not use tokens, cards or other devices to carry e-signature components. Revision A, December, of 14 Waters Corporation